Description

The openSUSE Build Service supports the signing of RPM and DEB packages with a GPG key. This is relatively automated; however, the setting up of the signer can be long and complicated, as well as expose some unwanted information. You'll want to make sure that this is set up on a locked down server.

Instructions

Required Packages

You will need:

the obs-signd package from the openSUSE:Tools repository

a gpg2 package with the files-are-digests.patch applied

The obs-signd package (starting at about version 2.1.12) has a dependency on the virtual requirement gpg2_signd_support, which in turn is complementarily provided an appropriate gpg2 package.

openSUSE (starting from 11.3, and newer) ships gpg2 with gpg2_signd_support.
For other distributions, a patch is needed for GPG.

Note that Gnupg 2.2 has new upstream functionality that will make this patch obsolete, but obs-signer needs to be updated to make use of it.

Set up the GPG key

You will need to su-to-root and use gpg to create a master key with multiple encryption and signing types as follows:

Signing EFI binaries/kernel modules for EFI Secure Boot

Detached signer machine

Any OBS admin with root can access the master gpg private key, and thus decrypt and access every project private signing key. If this is undesirable, a separate machine can be added to the same LAN and can be further restricted and used as a remote signer. It is recommended to follow all best practices for mission critical machines (bare metal, encrypted disk, ssh access only via public key, strict firewall rules, back-to-back network connection with main OBS instance, etc).

The only software to install is the obs-signd package. Follow the above instructions to generate a GPG master key, but then in /etc/sign.conf instead of 127.0.0.1 set the main OBS instance IP address in the "allow" field. At the same time, on the main OBS instance in the same file, use the signer machine instead of 127.0.0.1 in the "server" field. The default TCP port used by signer/signd is 5167.

No global key

Leaving $keyfile in BSConfig.pm empty/commented out will cause packages in a project that has no signkey available to remain stuck in the "signing" state until signing can be performed.

No secret key found and GNUPGHOME

The /etc/init.d/obssignd from obs-signd-2.1.2-1.1 rpm package sets the GNUPGHOME to /obs/gnupg before starting signd daemon. If you followed the above instructions, your GNUPGHOME will be /root/.gnupg.

One solution is to copy the /root/.gnupg to /obs/gnupg , or use symlinks. Another would be to edit /etc/sysconfig/signd to set up the GNUPGHOME (look at /var/adm/fillup-templates/sysconfig.signd).

No OpenSSL certificate at build/sign time

OBS will create and make available an OpenSSl certificate for EFI signing only if there is a per-project key available (or in the parent). In case the global master key is used directly, this will not be possible. Create a project key with osc signkey --create $project.

Project keys creation and storage details

This paragraph attempts to document how signd works under the hood when signing a project.

Upon the first signing request on a new project, if a project or any of its parents do not have a key, the backend will ask signd to create a new keypair and an SSL certificate. They are stored in the DB.

The keypair is also stored on the filesystem, under $projectsdir/$projectid.pkg as _pubkey, a GPG ASCII format public key, and _signkey, a GPG binary format secret key encrypted with the signer's GPG public key (the one created by the instructions on this page) and stored as an ASCII hex string.

On each signature request, the backend will send the files/data to be signed to signd together with the project's public key and encrypted private key.
So, only the signer machine and those with access to it are able to access the private key of a project.